The basic structure of a wireless local area network (WLAN) defined in IEEE (Institute of Electrical and Electronics Engineers) 802.11 may be shown in FIG. 1, where a station (STA) refers to a terminal device having a wireless local area network interface, and an access point (AP) is equivalent to a base station of a mobile network and is mainly responsible for implementing communication between STAs or between an STA and a relevant device of a wired network. Multiple STAs may access the same AP. STAs associated with the same AP constitute a basic service set (BSS). A distribution system (DS) is used to form a large local area network between different BSSs as well as between a BSS and a wired local area network. A portal device is a logical point for providing data forwarding between a DS and a wired local area network.
In a WLAN system, the service set identifier (SSID) is generally used to distinguish different wireless local area networks. When different BSSs (which may be identified by their BSSIDs) form a large local area network through a DS, the different BSSs have the same SSID.
Conventionally, the Wi-Fi Protected Access (WPA) security mechanism recommended by the Wi-Fi (wireless fidelity) Alliance is widely applied in a WLAN. The WPA enterprise version (a general term covering the various WPA enterprise versions) is implemented based on the 802.1X authentication protocol. The network structure of 802.1X authentication may be divided into three parts: an authentication-applying party (that is, a user port access entity, i.e., a user equipment (UE), which in a WLAN may be referred to as an STA), an authentication system, i.e., an authentication entity (AE), and an authentication server (AS).
By default, an AE allows only the authentication messages of a UE to pass at the beginning; it allows the service messages of the UE to pass only after the UE has been authenticated. In a WLAN, the AS is a Remote Authentication Dial In User Service (RADIUS) server, the AE generally corresponds to an AP, and the UE is an STA.
In the authentication process, authentication messages are transferred between an STA and an AP. In a WLAN, an association process takes place between the STA and the AP before authentication starts, so both the STA and the AP have learnt the air interface media access control (MAC) address (such as the BSSID) of the peer end before authentication. For this reason, the IEEE 802.1X protocol specifies that in a WLAN, all Extensible Authentication Protocol (EAP) authentication messages of a UE (including the first message) must use unicast addresses.
In a WLAN specified in IEEE 802.1X, a prerequisite for all EAP authentication messages to use unicast addresses is that the AE must be an AP device (a UE may learn the MAC address (such as the BSSID) corresponding to the air interface of the AP while associating with the AP). A WLAN in a scenario such as a home or a small enterprise may satisfy this condition because the quantity of APs is limited in such scenarios and only a small amount of work is required to configure each AP as an AE. This authentication deployment mode may be referred to as distributed authentication deployment.
As technologies develop, a large number of large WLANs suitable for a large enterprise or an operator are deployed, and such a large WLAN has a huge number of APs. To ease the management burden, thin AP networking is generally used at present. In this case, the AE device may be deployed on an access controller (AC), or on a multi-service control gateway (MSCG) device on the AC. The authentication deployment mode in which an AE device is deployed in a centralized way on a device such as an AC or an MSCG may be referred to as centralized authentication deployment.
The prior art has at least the following problem: the AE in centralized authentication deployment is not an AP device, so a UE cannot learn the MAC address of the AE before authentication. However, the IEEE 802.1X protocol specifies that all EAP authentication messages of a UE (including the first message) must use unicast addresses. In such a case, authentication cannot be completed using the existing mechanism.
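As an added illustration (not part of the original text and not any vendor's implementation), the following Python model reproduces the two rules described above: the AE forwards only authentication (EAPOL) frames from a station until that station is authenticated, and in a WLAN every EAP message, including the first, must be addressed to the AE's unicast MAC. Running it in distributed mode (the AE is the AP, so the STA learnt the BSSID at association) completes authentication and opens the port; running it in centralized mode (the AE sits on an AC or MSCG, so no AE address was learnt) leaves the STA unable to address its first message and the port closed. Assumptions of the model: the RADIUS AS is reduced to a credential table, the EAP method exchange is collapsed into a single identity-and-secret step, and all MAC addresses, identities and secrets are constructed.

```python
"""Toy model of IEEE 802.1X port-based access control in a WLAN (added example).

Simplifications (assumptions, not the standard's full behaviour):
  * the authentication server (RADIUS) is a credential dictionary held by the AE;
  * the EAP method exchange is collapsed into one identity:secret response;
  * MAC addresses, identities and secrets below are constructed values.
"""
from dataclasses import dataclass, field
from typing import Optional

EAPOL_ETHERTYPE = 0x888E   # EtherType carrying EAPOL (IEEE 802.1X) frames
IPV4_ETHERTYPE = 0x0800    # stands in for any service (data) frame
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    payload: str


@dataclass
class PortState:
    """Per-STA state kept by the AE: whether the controlled port is open."""
    authorized: bool = False
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)


class AuthenticatorEntity:
    """AE: the 802.1X authenticator (an AP in distributed deployment)."""

    def __init__(self, mac: str, credentials: dict):
        self.mac = mac
        self.credentials = credentials   # abstraction of the RADIUS AS
        self.ports: dict = {}

    def receive(self, frame: Frame) -> Optional[Frame]:
        port = self.ports.setdefault(frame.src, PortState())
        if frame.ethertype == EAPOL_ETHERTYPE:
            # WLAN rule from the text: EAP messages must be unicast to the AE.
            if frame.dst != self.mac:
                port.dropped.append(frame)
                return None
            port.forwarded.append(frame)
            return self._handle_eap(frame, port)
        # Controlled port: service traffic passes only once authenticated.
        if port.authorized:
            port.forwarded.append(frame)
        else:
            port.dropped.append(frame)
        return None

    def _handle_eap(self, frame: Frame, port: PortState) -> Frame:
        if frame.payload == "EAPOL-Start":
            reply = "EAP-Request/Identity"
        elif frame.payload.startswith("EAP-Response/Identity:"):
            _, identity, secret = frame.payload.split(":", 2)
            port.authorized = self.credentials.get(identity) == secret
            reply = "EAP-Success" if port.authorized else "EAP-Failure"
        else:
            reply = "EAP-Failure"
        return Frame(self.mac, frame.src, EAPOL_ETHERTYPE, reply)


class Station:
    """STA/UE: the 802.1X supplicant."""

    def __init__(self, mac: str, identity: str, secret: str, ae_mac: Optional[str]):
        self.mac, self.identity, self.secret = mac, identity, secret
        # Distributed deployment: ae_mac is the BSSID learnt at association.
        # Centralized deployment: the AE is not the AP, so nothing was learnt.
        self.ae_mac = ae_mac

    def authenticate(self, ae: AuthenticatorEntity) -> str:
        # With no learnt AE address the STA can only broadcast its first
        # message, which the WLAN unicast rule does not allow the AE to accept.
        dst = self.ae_mac if self.ae_mac else BROADCAST
        reply = ae.receive(Frame(self.mac, dst, EAPOL_ETHERTYPE, "EAPOL-Start"))
        if reply is None:
            return "no response (first EAP message was not unicast)"
        peer = reply.src   # the AE's MAC is now known from its reply
        response = f"EAP-Response/Identity:{self.identity}:{self.secret}"
        reply = ae.receive(Frame(self.mac, peer, EAPOL_ETHERTYPE, response))
        return reply.payload


def data_frame_passes(ae: AuthenticatorEntity, sta_mac: str) -> bool:
    """Send one service frame through the AE and report whether it was forwarded."""
    frame = Frame(sta_mac, "00:00:5e:00:53:ff", IPV4_ETHERTYPE, "service data")
    ae.receive(frame)
    return frame in ae.ports[sta_mac].forwarded


def simulate(centralized: bool) -> dict:
    """Run one STA through authentication in the chosen deployment mode."""
    ae = AuthenticatorEntity("02:00:00:00:00:01", {"alice": "constructed-secret"})
    sta = Station("02:00:00:00:00:aa", "alice", "constructed-secret",
                  ae_mac=None if centralized else ae.mac)
    outcome = sta.authenticate(ae)
    return {"outcome": outcome,
            "authorized": ae.ports[sta.mac].authorized,
            "data_passes": data_frame_passes(ae, sta.mac)}


if __name__ == "__main__":
    for mode in (False, True):
        print("centralized" if mode else "distributed", simulate(mode))
```

The model deliberately makes the AE reject a non-unicast EAPOL frame rather than, say, answer it, because that is the constraint the text attributes to IEEE 802.1X in a WLAN; the point it shows is that the gating itself (service frames dropped until `authorized` is set) is identical in both deployment modes, and only the supplicant's ability to name the AE differs.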